CN107070880A - A single sign-on method and system, and an authentication center server - Google Patents


Info

Publication number: CN107070880A
Authority: CN (China)
Prior art keywords: token, user, signed, request, sent
Legal status: Pending
Application number: CN201710084420.6A
Other languages: Chinese (zh)
Inventor: 田尚杰
Current Assignee: Jinan Inspur Hi Tech Investment and Development Co Ltd
Original Assignee: Jinan Inspur Hi Tech Investment and Development Co Ltd
Application filed by Jinan Inspur Hi Tech Investment and Development Co Ltd
Priority to CN201710084420.6A
Publication of CN107070880A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a single sign-on method and system and an authentication center server. The method, applied to the authentication center server, comprises: receiving a token application request sent by a system that initiates a login request; obtaining the user profile of the user corresponding to the token application request; generating a token according to the token application request; saving the authentication information of the token and the user profile; sending the token to the system that initiated the login request, so that this system sends the token to the system to be signed in to; receiving the token sent by the system to be signed in to; verifying the token sent by the system to be signed in to according to the saved authentication information of the token, and, when the token passes verification, allowing the user to log in to the system to be signed in to and sending the user profile to that system, so that it creates a user session for the user according to the user profile. The invention can improve the security of single sign-on.

Description

A single sign-on method and system, and an authentication center server
Technical field
The present invention relates to the field of computer technology, and in particular to a single sign-on method and system and an authentication center server.
Background technology
With the rapid development of science and technology, the same user may have registered accounts in multiple different application systems, and a single enterprise usually also contains multiple application systems. Single sign-on lets a user log in to different application systems conveniently.
In the prior art, when a user logs in to an application system for the first time through a portal system, the user must be authenticated; the next time the user logs in, no further authentication is needed and the user can log in directly to each application system that corresponds to the portal system. For example, the portal system corresponds to application system A and application system B. When user A logs in to application system A through the portal system for the first time, user A must be authenticated, and only after passing authentication can user A sign on to application system A. The next time user A logs in, no further authentication is needed, and user A can also sign on directly to application system B through the portal system.
As can be seen from the above, in the prior-art single sign-on scheme an unauthorized user can easily access each application system by using the login record created when a legitimate user first logged in, so security is relatively low.
Summary of the invention
Embodiments of the invention provide a single sign-on method and system and an authentication center server, which can improve the security of single sign-on.
In a first aspect, an embodiment of the invention provides a single sign-on method, applied to an authentication center server, comprising:
receiving a token application request sent by a system that initiates a login request;
obtaining the user profile of the user corresponding to the token application request;
generating a token according to the token application request;
saving the authentication information of the token and the user profile;
sending the token to the system that initiated the login request, so that this system sends the token to the system to be signed in to;
receiving the token sent by the system to be signed in to;
verifying the token sent by the system to be signed in to according to the saved authentication information of the token, and, when the token passes verification, allowing the user to log in to the system to be signed in to and sending the user profile to that system, so that the system to be signed in to creates a user session for the user according to the user profile.
Further, the token application request includes the destination address of the system to be signed in to that corresponds to the token;
after receiving the token application request sent by the system that initiates the login request, the method further comprises:
obtaining the destination address from the token application request;
the authentication information of the token includes the generation time of the token and the destination address;
the method further comprises presetting a token expiry time length;
verifying the token according to the saved authentication information of the token includes:
judging whether the token sent by the system to be signed in to satisfies: the difference between the time the token was received from the system to be signed in to and the generation time of the token is not greater than the token expiry time length, and the saved destination address is identical to the address of the system that sent the token; if so, determining that the token sent by the system to be signed in to passes verification, otherwise determining that it does not pass verification.
Further, before receiving the token application request sent by the system that initiates the login request, the method further comprises:
receiving user authentication information input by the user;
authenticating the user according to the user authentication information; when the user passes authentication, performing the step of receiving the token application request sent by the system that initiates the login request; when the user does not pass authentication, terminating the current process.
Further, the method further comprises destroying the token when the token passes verification.
In a second aspect, an embodiment of the invention provides an authentication center server, comprising:
a first receiving unit, for receiving a token application request sent by a system that initiates a login request;
a first acquisition unit, for obtaining the user profile of the user corresponding to the token application request;
a generation unit, for generating a token according to the token application request;
a storage unit, for saving the authentication information of the token and the user profile;
a transmitting unit, for sending the token to the system that initiated the login request, so that this system sends the token to the system to be signed in to;
a second receiving unit, for receiving the token sent by the system to be signed in to;
a verification unit, for verifying the token sent by the system to be signed in to according to the saved authentication information of the token, and, when the token passes verification, allowing the user to log in to the system to be signed in to and sending the user profile to that system, so that it creates a user session for the user according to the user profile.
Further, the token application request includes the destination address of the system to be signed in to that corresponds to the token;
the server further comprises a second acquisition unit, for obtaining the destination address from the token application request;
the authentication information of the token includes the generation time of the token and the destination address;
the server further comprises a setting unit, for setting the token expiry time length;
the verification unit is for judging whether the token sent by the system to be signed in to satisfies: the difference between the time the token was received from the system to be signed in to and the generation time of the token is not greater than the token expiry time length, and the saved destination address is identical to the address of the system that sent the token; if so, determining that the token sent by the system to be signed in to passes verification, otherwise determining that it does not pass verification.
Further, the authentication center server further comprises a third receiving unit, for receiving user authentication information input by the user;
and an identity authentication unit, for authenticating the user according to the user authentication information, triggering the first receiving unit when the user passes authentication, and terminating the current process when the user does not pass authentication.
Further, the verification unit is also for destroying the token when the token passes verification.
In a third aspect, an embodiment of the invention provides a single sign-on system, comprising:
the authentication center server of any embodiment of the second aspect, and at least one system provided with a login-request interceptor;
the at least one system provided with a login-request interceptor includes the system that initiates the login request and the system to be signed in to;
the login-request interceptor in the system that initiates the login request is for sending the token application request to the authentication center server, receiving the token sent by the authentication center server, and sending the token to the system to be signed in to;
the login-request interceptor in the system to be signed in to is for intercepting the token sent by the system that initiated the login request, sending the token to the authentication center server, and, on receiving the user profile sent by the authentication center server, creating a user session according to the user profile.
Further, the login-request interceptor in the system that initiates the login request is for receiving the user's request to log in to the system to be signed in to and judging whether the user has already logged in to the authentication center server; if so, it sends the token application request to the authentication center server, otherwise it redirects the user to the login interface of the authentication center server so that the user inputs user authentication information through that interface;
the authentication center server is further for receiving, through the login interface, the user authentication information input by the user, authenticating the user according to the user authentication information, performing the step of receiving the token application request sent by the system that initiates the login request when the user passes authentication, and terminating the current process when the user does not pass authentication.
In embodiments of the invention, when a user needs to log in to a system, the system that initiates the login request must obtain a token from the authentication center server and send it to the system to be signed in to; that system sends the received token to the authentication center server for verification, and only after the token passes verification does the system to be signed in to create a user session for the user, completing the user's login. If the user has no token, or the token does not pass verification, the user cannot log in to the system, which improves the security of single sign-on.
Brief description of the drawings
To explain the embodiments of the invention or the prior-art technical schemes more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of a single sign-on method provided by an embodiment of the invention;
Fig. 2 is a flow chart of another single sign-on method provided by an embodiment of the invention;
Fig. 3 is a schematic diagram of an authentication center server provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of another authentication center server provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of a single sign-on system provided by an embodiment of the invention.
Detailed description of the embodiments
To make the purpose, technical scheme and advantages of the embodiments of the invention clearer, the technical scheme in the embodiments of the invention is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
As shown in Fig. 1, an embodiment of the invention provides a single sign-on method, applied to an authentication center server, which may comprise the following steps:
Step 101: receive a token application request sent by a system that initiates a login request;
Step 102: obtain the user profile of the user corresponding to the token application request;
Step 103: generate a token according to the token application request;
Step 104: save the authentication information of the token and the user profile;
Step 105: send the token to the system that initiated the login request, so that this system sends the token to the system to be signed in to;
Step 106: receive the token sent by the system to be signed in to;
Step 107: verify the token sent by the system to be signed in to according to the saved authentication information of the token; when the token passes verification, allow the user to log in to the system to be signed in to and send the user profile to that system, so that it creates a user session for the user according to the user profile.
In this embodiment, when a user needs to log in to a system, the system that initiates the login request must obtain a token from the authentication center server and send it to the system to be signed in to; that system sends the received token to the authentication center server for verification, and only after the token passes verification does the system to be signed in to create a user session for the user, completing the user's login. If the user has no token, or the token does not pass verification, the user cannot log in to the system, which improves the security of single sign-on.
In an embodiment of the invention, the token application request includes the destination address of the system to be signed in to that corresponds to the token;
after receiving the token application request sent by the system that initiates the login request, the method further comprises:
obtaining the destination address from the token application request;
the authentication information of the token includes the generation time of the token and the destination address;
the method further comprises presetting a token expiry time length;
verifying the token according to the saved authentication information of the token includes:
judging whether the token sent by the system to be signed in to satisfies: the difference between the time the token was received from the system to be signed in to and the generation time of the token is not greater than the token expiry time length, and the saved destination address is identical to the address of the system that sent the token; if so, determining that the token sent by the system to be signed in to passes verification, otherwise determining that it does not pass verification.
In this embodiment, the validity period of a token is limited by the token expiry time length, so that a token is never valid indefinitely; a token that stayed valid would pose a serious security threat to single sign-on once obtained by an unauthorized user. The destination address limits the scope of use of a token, so that each token can log in only to its corresponding system to be signed in to; this prevents a single token from logging in to multiple systems, which would also pose a significant security threat. The token expiry time length can take a value in the range [500 milliseconds, 5 seconds], for example 1 second or 2 seconds.
In an embodiment of the invention, before receiving the token application request sent by the system that initiates the login request, the method further comprises:
receiving user authentication information input by the user;
authenticating the user according to the user authentication information; when the user passes authentication, performing the step of receiving the token application request sent by the system that initiates the login request; when the user does not pass authentication, terminating the current process.
In this embodiment, only a user who has passed authentication by the authentication center server is eligible to obtain a token. Combining identity authentication with token verification makes single sign-on more secure.
In an embodiment of the invention, the method further comprises destroying the token when the token passes verification.
In this embodiment a token is used only once, which prevents token reuse, reduces the probability of a token being illegally obtained and used, and improves the security of single sign-on.
As shown in Fig. 2, an embodiment of the invention provides a single sign-on method applied to an authentication center server. In this embodiment the system that initiates the login request is system A and the system to be signed in to is system B; the user needs to single sign-on from system A into system B. The method may comprise the following steps:
Step 201: preset the token expiry time length.
Step 202: receive the token application request sent by system A; the token application request includes the destination address of system B.
Specifically, the token application request can take the form: http(s)://<host address of the authentication center server>/asktoken?url=<address of the system to be signed in to>.
For example, the token application request can be: http(s)://<host address of the authentication center server>/asktoken?url=<destination address>.
Step 203: obtain the destination address from the token application request.
Step 204: obtain the user profile of the user corresponding to the token application request.
The user profile can be obtained from the session established with system A.
The user profile can include the user ID and other information used to establish a user session.
Step 205: generate a token according to the token application request.
Specifically, a string in GUID (Globally Unique Identifier) format can be generated and used as the token.
The token is returned to the login-request interceptor that initiated the token application request.
Step 206: save the generation time, destination address and user profile of the token.
Specifically, the user profile, the generation time associated with the token and the destination address can be combined into one record and placed in a set of tokens awaiting verification. When saving the destination address, the URL (Uniform Resource Locator) of the token application request can be saved directly.
Step 207: send the token to system A, so that system A sends the token to system B.
Specifically, system A can send the token to system B in the following form:
http(s)://<host address of system B>/sso/<token>.
Step 208: receive the token sent by system B.
Specifically, after system B receives the token sent by system A, it sends the token to the authentication center server for authentication.
System B can send the token to the authentication center server in the following form:
http(s)://<host address of the authentication center server>/verifytoken/<token>.
Step 209: judge whether the token sent by system B satisfies: the difference between the time the token was received from system B and the generation time of the token is not greater than the token expiry time length, and the saved destination address is identical to the address of the system that sent the token; if so, perform step 210, otherwise perform step 211.
Specifically, the authentication center server verifies the timeliness of the received token according to its generation time, to determine whether the token is still valid, and verifies, according to the saved destination address, whether the received token corresponds to that destination address.
The authentication center server can determine the source of the received token, that is, the address of the system that sent the token, from the session established with the system that sent it.
Step 210: send the user profile to system B, so that system B creates a user session for the user according to the user profile.
Specifically, when system B receives the user profile sent by the authentication center server, it determines that the authentication center server allows the user to log in to system B. System B creates a user session according to the user profile, so that the user can log in to system B and interact with it.
Step 211: forbid the user from logging in to system B and terminate the current process.
In this embodiment, the token produced by the authentication center server is time-limited and can be used for single sign-on to only one system. When the authentication center server receives a token verification request, it verifies the timeliness of the token and checks, according to the address of the system that sent the token to be verified, whether that system is the system to be signed in to. These mechanisms achieve single sign-on while preventing third-party malware that intercepts a token from using it for any other purpose, giving very high security.
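The Fig. 2 exchange (Steps 201 to 211) as an added Python example; this is not the patent's own code. It models an in-memory authentication center that parses the asktoken and verifytoken request forms shown above, issues a GUID token, and enforces the expiry window, the destination-address check and single use. The host names, the user profile contents and the injectable clock are assumptions made for the example.

```python
import time
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed example, not the patent's code. It models the authentication
# center server of Steps 201-211: a GUID-string token whose record holds the
# generation time, the destination address and the user profile, checked on
# presentation against an expiry length and the presenting system's address,
# then destroyed so it cannot be replayed.


@dataclass
class TokenRecord:
    generated_at: float   # seconds, read from the injected clock
    destination: str      # address of system B as carried in the asktoken request
    user_profile: dict    # data system B needs to build the user session


def host_of(address: str) -> str:
    # Normalise "system-b.example" and "https://system-b.example/app" to a host,
    # because the patent saves the full URL from the asktoken request (Step 206)
    # but compares it with the address of the presenting system (Step 209).
    parsed = urlparse(address if "://" in address else "//" + address)
    return (parsed.hostname or "").lower()


def parse_ask_token_request(url: str) -> str:
    # Step 202: http(s)://<auth center host>/asktoken?url=<address of system B>
    parts = urlparse(url)
    if parts.path != "/asktoken":
        raise ValueError("not an asktoken request")
    targets = parse_qs(parts.query).get("url", [])
    if len(targets) != 1:
        raise ValueError("asktoken request must carry exactly one url parameter")
    return targets[0]


def parse_verify_token_request(url: str) -> str:
    # Step 208: http(s)://<auth center host>/verifytoken/<token>
    prefix = "/verifytoken/"
    path = urlparse(url).path
    if not path.startswith(prefix) or len(path) == len(prefix):
        raise ValueError("not a verifytoken request")
    return path[len(prefix):]


class AuthCenter:
    def __init__(self, expiry_seconds: float = 1.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        # Step 201: the patent's expiry range is [500 ms, 5 s]; 1 s is its example.
        if not 0.5 <= expiry_seconds <= 5.0:
            raise ValueError("token expiry must be between 0.5 s and 5 s")
        self.expiry = expiry_seconds
        self.clock = clock
        self.pending: Dict[str, TokenRecord] = {}   # the set awaiting verification

    def ask_token(self, session_user: Optional[dict], destination: str) -> str:
        # Steps 202-206. The user profile comes from the server's own session
        # with system A; a caller without one has not been authenticated.
        if session_user is None:
            raise PermissionError("user has not authenticated at the authentication center")
        token = str(uuid.uuid4())                    # Step 205: GUID-format string
        self.pending[token] = TokenRecord(self.clock(), destination, dict(session_user))
        return token                                 # Step 207: returned to A's interceptor

    def verify_token(self, token: str, sender_address: str) -> Tuple[bool, Optional[dict]]:
        # Step 209. sender_address is what the server learned from its session
        # with the presenting system, never a value taken from the request body.
        record = self.pending.get(token)
        if record is None:                           # unknown, already used, or forged
            return False, None
        if self.clock() - record.generated_at > self.expiry:
            del self.pending[token]                  # assumption: expired tokens are discarded
            return False, None
        if host_of(sender_address) != host_of(record.destination):
            return False, None                       # presented by the wrong system; Step 211
        del self.pending[token]                      # passed: destroy it, single use only
        return True, record.user_profile             # Step 210: profile goes to system B


def demo() -> Tuple[bool, bool]:
    # Runs the exchange once with a fixed clock and returns (first use, replay).
    now = [0.0]
    center = AuthCenter(expiry_seconds=1.0, clock=lambda: now[0])
    dest = parse_ask_token_request(
        "https://auth.example/asktoken?url=https://system-b.example/app")
    token = center.ask_token({"user_id": "alice"}, dest)
    presented = parse_verify_token_request("https://auth.example/verifytoken/" + token)
    now[0] += 0.4                                    # B presents it well inside the window
    first, _ = center.verify_token(presented, "system-b.example")
    replay, _ = center.verify_token(presented, "system-b.example")
    return first, replay


if __name__ == "__main__":
    print(demo())   # (True, False)
```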
As shown in figure 3, the embodiments of the invention provide a kind of authentication center's server, including:
First receiving unit 301, the request for applying for token that the system of logging request is sent is initiated for receiving;
First acquisition unit 302, the user profile of the corresponding user of request for obtaining the application token;
Generation unit 303, for the request according to the application token, generates token;
Storage unit 304, authentication information and the user profile for preserving the token;
Transmitting element 305, sends the token, so that described initiate to log in for the system to the initiation logging request The system of request sends the token to the system to be signed in;
Second receiving unit 306, for receiving the token that the system to be signed in is sent;
Authentication unit 307, for the authentication information of the token according to preservation, sends to the system to be signed in The token verified, when the token is by verifying, it is allowed to the User logs in system to be signed in described in, The user profile is sent to the system to be signed in, so that the system to be signed in is created according to the user profile Build the user conversation of the user.
In an embodiment of the present invention, the request of the application token includes:To be logged in described in the token is corresponding The destination address of the system arrived;
Further comprise:Second acquisition unit, for obtaining the destination address from the request of the application token;
The authentication information of the token includes:The generation time of the token, the destination address;
Further comprise:Setting unit, for setting token out-of-service time length;
The authentication unit, for judging whether the token that the system to be signed in is sent meets:Receive The time difference of the time for the token that the system to be signed in is sent and the generation time of the token are not more than described Token out-of-service time length, and the address of system of the destination address preserved with sending the token is identical, if it is, The token that the system to be signed in described in judging is sent is by checking, otherwise, it is determined that the system to be signed in is sent The token not over checking.
As shown in figure 4, in an embodiment of the present invention, authentication center's server further comprises:3rd receiving unit 401, the user authentication information for receiving user's input;
Identity authenticating unit 402, for carrying out authentication to the user according to the user authentication information, when described When user is by authentication, first receiving unit is triggered, when the user is not over authentication, terminates current Flow.
In an embodiment of the present invention, authentication center's server, the authentication unit, are further used for working as the token During by verifying, the token is destroyed.
The embodiments of the invention provide a kind of system of single-sign-on, including:
Any described authentication center's server in the embodiment of the present invention, at least one be provided with logging request blocker System;
At least one described system for being provided with logging request blocker includes:Initiate the system of logging request, to step on The system recorded;
Logging request blocker in the system for initiating logging request, for being sent to authentication center's server Apply for the request of token, receive the token that authentication center's server is sent, the token, which is sent to, described will sign in System;
Logging request blocker in the system to be signed in, the system hair for intercepting the initiation logging request The token come, sends the token to authentication center's server, is sent when receiving authentication center's server User profile when, according to the user profile create user conversation.
In embodiments of the present invention, it is that the system that each user can be arrived with single-sign-on sets logging request blocker, should The operation logic realized and logged in needed for single-sign-on using the system of this single-sign-on is encapsulated in logging request blocker, often Individual user can with single-sign-on to system by easy configuration be that unified certification and single-sign-on services can be achieved, greatly letter Change the implementation process of single-sign-on, save implementation cost.
A kind of system of single-sign-on provided in an embodiment of the present invention provides authentication service and interception service, authentication service By authentication center, server is realized, interception service is realized by logging request blocker.Authentication service can be deployed to individually WEB application, is serviced to system with user certification that can be arrived for each user with single-sign-on etc..
As shown in figure 5, the embodiments of the invention provide a kind of system of single-sign-on, including:
Any described authentication center's server 501 in the embodiment of the present invention, initiate the system 502 of logging request and to step on The system 503 recorded, initiating the system 502 of logging request includes logging request blocker 5021, the system 503 to be signed in Include logging request blocker 5031.
In an embodiment of the present invention, the logging request blocker in the system for initiating logging request, for receiving The request for the system to be signed in described in the login that user sends, judges whether the user has logged in authentication center's service Device, if it is, the request for being sent to authentication center's server and applying for token is performed, otherwise, by user weight The login interface of authentication center's server is directed to, so that described input user authentication information by the login interface;
Authentication center's server, is further used for testing by the user that the login interface receives user's input Demonstrate,prove information;Authentication is carried out to the user according to the user authentication information, when the user is by authentication, held Described receive of row initiates the request for applying for token that the system of logging request is sent, when the user is not over authentication When, terminate current process.
In embodiments of the present invention, the authentication center server may provide an account management service, a user verification service and a token management service. Based on the account management service, the authentication center server manages user accounts and can set the authentication method each user is required to use. Based on the user verification service, the authentication center server authenticates users and can support several methods, such as username plus password, CA (Certificate Authority, digital certificate authentication center) and USB KEY; the user authentication information input by the user may be, for example, the user's account and password. Based on the token management service, the authentication center server implements functions such as token generation, token verification and token destruction.
In embodiments of the present invention, when the user passes authentication, the authentication center server creates a session for the user and redirects the user to the login request interceptor in the system that initiates the login request; that login request interceptor creates a user session for the user and directs the user to the address that was originally requested.
In embodiments of the present invention, when a user single-signs-on from one system in which a login request interceptor is deployed to another system, the login request interceptor must be deployed in both systems.
In embodiments of the present invention, when a user initiates a single-sign-on request from a system in which a login request interceptor is deployed, a single-sign-on request containing specific information must be sent to that system. The specific information contains the address of the system to be single-signed-on to and a marker string indicating that this request is a single-sign-on request. After intercepting this request, the login request interceptor requests a token from the authentication center server, receives the token, and sends it through a specific link to the system to be single-signed-on to.
The single-sign-on request sent by the user can be implemented in the following form:
http(s)://<host address of the system that initiates the login request>/tokensso?url=<address of the system to be signed in to>
where "tokensso" indicates that the request is a single-sign-on request.
In embodiments of the present invention, the login request interceptor may be an interceptor component for HTTP requests. Its main functions are to check whether the user is logged in and to call the authentication center server to complete single-sign-on. The login request interceptor encapsulates all of the logic that the method and systems described above need in order to implement single-sign-on.
Because the related logic is encapsulated in the login request interceptor, the embodiment of the present invention greatly reduces the difficulty for other systems of adopting it: they can use it simply by configuration. The main implementation steps are as follows:
Deploy the web application of the authentication center server, complete the user initialization, and set the token validity time.
Deploy the login request interceptor DLL in the bin directory of the application system that is to implement single-sign-on using the embodiment of the present invention, and add the following information to web.config:
<httpModules>
<add name="SSOProvider" type="Inspur.SSO.Provider, Inspur.SSO"/>
</httpModules>
An embodiment of the invention provides a computer-readable storage medium including execution instructions; when the processor of a storage controller executes the execution instructions, the storage controller performs any of the single-sign-on methods in the embodiments of the present invention.
An embodiment of the invention provides a storage controller, including a processor, a memory and a bus;
the memory is used to store execution instructions, the processor is connected to the memory through the bus, and when the storage controller runs, the processor executes the execution instructions stored in the memory, so that the storage controller performs any of the single-sign-on methods in the embodiments of the present invention.
The information exchange between the units of the above apparatus, the execution process and similar contents are based on the same concept as the method embodiments of the present invention; for details, refer to the description of the method embodiments, which is not repeated here.
Each embodiment of the present invention has at least the following advantages:
1. In embodiments of the present invention, when a user needs to log in to the system to be signed in to, the system that initiates the login request must obtain a token from the authentication center server and send that token to the system to be signed in to; the system to be signed in to sends the received token to the authentication center server for verification, and only after the token passes verification does the system to be signed in to create a user session for the user, so that the user is logged in to it. If the user has no token, or the token fails verification, the user cannot log in to the system at all, which improves the security of single-sign-on.
2. In embodiments of the present invention, the token generated by the authentication center server is time-limited and can only be used for single-sign-on to one system; on receiving a token verification request, the authentication center server checks whether the token is still within its validity period and, from the address of the system that sent the token to be verified, checks whether that system is the system to be signed in to. While realizing single-sign-on, these mechanisms avoid the possibility that third-party malware intercepts the token and uses it for other purposes, giving high security.
3. In embodiments of the present invention, a login request interceptor is set up for each system a user may single-sign-on to, and the operation logic that a system using this single-sign-on needs in order to log the user in is encapsulated in that login request interceptor; each system a user may single-sign-on to can therefore provide unified authentication and single-sign-on services through simple configuration, which greatly simplifies the implementation of single-sign-on and saves implementation cost.
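The token flow described in advantages 1 and 2 (and in claims 1 to 4 below), as an added example that is not part of the patent: a small Python model of the authentication center's token service together with the tokensso request format given above. The names AuthCenter, TokenRecord, parse_sso_request and run_flow, the sample addresses, and the directory entry with its credential are assumptions of this example.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class TokenRecord:
    """Verification information saved with each token (claim 2), plus the user profile."""
    generated_at: float   # token generation time
    destination: str      # address of the system the token is meant for
    user_profile: dict    # handed to the target system only after verification


def parse_sso_request(request_url: str) -> str:
    """Recognise a request of the form
    http(s)://<initiating system>/tokensso?url=<system to be signed in to>
    and return the destination address; raise ValueError for anything else."""
    parts = urlsplit(request_url)
    if parts.path.rstrip("/").split("/")[-1] != "tokensso":
        raise ValueError("not a single-sign-on request")
    url = parse_qs(parts.query).get("url")
    if not url or not url[0]:
        raise ValueError("single-sign-on request lacks the destination address")
    return url[0]


class AuthCenter:
    """Authentication center server (assumed name): issues tokens that are time-limited,
    bound to one destination system and destroyed after a single successful verification."""

    def __init__(self, token_lifetime_seconds: float, clock=time.time):
        self.lifetime = token_lifetime_seconds   # pre-set token expiry time length
        self.clock = clock                       # injectable so the flow can be tested
        self._tokens = {}                        # token -> TokenRecord
        self._authenticated = {}                 # users who have logged in at the center

    def authenticate(self, username: str, credential: str, directory: dict) -> bool:
        """User verification service (claim 3). `directory` is a constructed stand-in for
        the account management service: username -> (expected credential, profile)."""
        entry = directory.get(username)
        if entry is None or not secrets.compare_digest(entry[0], credential):
            return False
        self._authenticated[username] = entry[1]
        return True

    def apply_token(self, username: str, destination: str) -> str:
        """Handle the 'apply for token' request from the initiating system (claims 1-2)."""
        profile = self._authenticated.get(username)
        if profile is None:
            raise PermissionError("user has not logged in to the authentication center")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = TokenRecord(self.clock(), destination, dict(profile))
        return token

    def verify_token(self, token: str, sender_address: str):
        """Check a token presented by the system to be signed in to (claims 2 and 4).
        Returns the user profile on success and None when the token is unknown,
        already used, expired, or presented by a system other than its destination."""
        record = self._tokens.get(token)
        if record is None:
            return None                          # never issued, or already consumed
        if self.clock() - record.generated_at > self.lifetime:
            return None                          # outside the token expiry time length
        if record.destination != sender_address:
            return None                          # sender is not the bound destination
        del self._tokens[token]                  # claim 4: destroy after verification
        return record.user_profile


def run_flow() -> dict:
    """Walk the complete flow on a controllable clock and collect the outcomes."""
    now = [1_000_000.0]
    center = AuthCenter(token_lifetime_seconds=60, clock=lambda: now[0])
    # Constructed directory entry; the credential and profile are sample values.
    directory = {"alice": ("correct horse battery", {"user": "alice", "role": "staff"})}
    out = {"login_ok": center.authenticate("alice", "correct horse battery", directory)}
    dest = parse_sso_request("https://portal.example/tokensso?url=https://crm.example")
    out["destination"] = dest
    token = center.apply_token("alice", dest)
    out["other_system"] = center.verify_token(token, "https://other.example")  # None
    out["first_use"] = center.verify_token(token, dest)                         # profile
    out["replay"] = center.verify_token(token, dest)                            # None
    token2 = center.apply_token("alice", dest)
    now[0] += 61                                                                # past lifetime
    out["expired"] = center.verify_token(token2, dest)                          # None
    return out
```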
It should be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the sentence "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical disks and other media that can store program code.
Finally, it should be noted that the foregoing are only preferred embodiments of the present invention, intended to illustrate its technical solution and not to limit its scope. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.

Claims (10)

1. A method of single-sign-on, characterized in that it is applied to an authentication center server and includes:
receiving a request to apply for a token sent by a system that initiates a login request;
obtaining the user profile of the user corresponding to the request to apply for a token;
generating a token according to the request to apply for a token;
saving the verification information of the token and the user profile;
sending the token to the system that initiates the login request, so that the system that initiates the login request sends the token to the system to be signed in to;
receiving the token sent by the system to be signed in to;
verifying, according to the saved verification information of the token, the token sent by the system to be signed in to, and, when the token passes verification, allowing the user to log in to the system to be signed in to and sending the user profile to the system to be signed in to, so that the system to be signed in to creates a user session for the user according to the user profile.
2. The method according to claim 1, characterized in that
the request to apply for a token includes the destination address of the system to be signed in to that corresponds to the token;
after receiving the request to apply for a token sent by the system that initiates the login request, the method further includes:
obtaining the destination address from the request to apply for a token;
the verification information of the token includes the generation time of the token and the destination address;
the method further includes: presetting a token expiry time length;
and verifying the token according to the saved verification information of the token includes:
judging whether the token sent by the system to be signed in to satisfies the following: the difference between the time at which the token sent by the system to be signed in to is received and the generation time of the token is not greater than the token expiry time length, and the saved destination address is identical to the address of the system that sent the token; if so, judging that the token sent by the system to be signed in to passes verification, otherwise judging that the token sent by the system to be signed in to fails verification.
3. The method according to claim 1, characterized in that
before receiving the request to apply for a token sent by the system that initiates the login request, the method further includes:
receiving user authentication information input by the user;
authenticating the user according to the user authentication information; when the user passes authentication, performing said receiving of the request to apply for a token sent by the system that initiates the login request, and when the user fails authentication, terminating the current process.
4. The method according to any one of claims 1 to 3, characterized in that
it further includes: destroying the token when the token passes verification.
5. An authentication center server, characterized in that it includes:
a first receiving unit for receiving a request to apply for a token sent by a system that initiates a login request;
a first acquisition unit for obtaining the user profile of the user corresponding to the request to apply for a token;
a generation unit for generating a token according to the request to apply for a token;
a storage unit for saving the verification information of the token and the user profile;
a transmitting unit for sending the token to the system that initiates the login request, so that the system that initiates the login request sends the token to the system to be signed in to;
a second receiving unit for receiving the token sent by the system to be signed in to;
a verification unit for verifying, according to the saved verification information of the token, the token sent by the system to be signed in to, and, when the token passes verification, allowing the user to log in to the system to be signed in to and sending the user profile to the system to be signed in to, so that the system to be signed in to creates a user session for the user according to the user profile.
6. The authentication center server according to claim 5, characterized in that
the request to apply for a token includes the destination address of the system to be signed in to that corresponds to the token;
the server further includes: a second acquisition unit for obtaining the destination address from the request to apply for a token;
the verification information of the token includes the generation time of the token and the destination address;
the server further includes: a setting unit for setting a token expiry time length;
the verification unit is used to judge whether the token sent by the system to be signed in to satisfies the following: the difference between the time at which the token sent by the system to be signed in to is received and the generation time of the token is not greater than the token expiry time length, and the saved destination address is identical to the address of the system that sent the token; if so, it judges that the token sent by the system to be signed in to passes verification, otherwise it judges that the token sent by the system to be signed in to fails verification.
7. The authentication center server according to claim 5, characterized in that
it further includes: a third receiving unit for receiving user authentication information input by the user;
an identity authentication unit for authenticating the user according to the user authentication information; when the user passes authentication, it triggers the first receiving unit, and when the user fails authentication, it terminates the current process.
8. The authentication center server according to any one of claims 5 to 7, characterized in that
the verification unit is further used to destroy the token when the token passes verification.
9. A single-sign-on system, characterized in that it includes:
the authentication center server according to any one of claims 5 to 8, and at least one system provided with a login request interceptor;
the at least one system provided with a login request interceptor includes: a system that initiates a login request, and a system to be signed in to;
the login request interceptor in the system that initiates the login request is used to send the request to apply for a token to the authentication center server, to receive the token sent by the authentication center server, and to send the token to the system to be signed in to;
the login request interceptor in the system to be signed in to is used to intercept the token sent by the system that initiates the login request, to send the token to the authentication center server, and, when the user profile sent by the authentication center server is received, to create a user session according to the user profile.
10. The system according to claim 9, characterized in that
the login request interceptor in the system that initiates the login request is used to receive the request, sent by the user, to log in to the system to be signed in to, and to judge whether the user has already logged in to the authentication center server; if so, it performs said sending of the request to apply for a token to the authentication center server, otherwise it redirects the user to the login interface of the authentication center server so that the user inputs user authentication information through the login interface;
the authentication center server is further used to receive the user authentication information input by the user through the login interface, and to authenticate the user according to the user authentication information; when the user passes authentication, it performs said receiving of the request to apply for a token sent by the system that initiates the login request, and when the user fails authentication, it terminates the current process.
CN201710084420.6A 2017-02-16 2017-02-16 A kind of method and system of single-sign-on, a kind of authentication center's server Pending CN107070880A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710084420.6A CN107070880A (en) 2017-02-16 2017-02-16 A kind of method and system of single-sign-on, a kind of authentication center's server


Publications (1)

Publication Number Publication Date
CN107070880A true CN107070880A (en) 2017-08-18

Family

ID=59621390


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170818